AUTHENTICATION METHOD IN DATA COMMUNICATION
AND SMART CARD FOR IMPLEMENTING THE SAME 

BACKGROUND OF THE INVENTION 
Field of the Invention 

This invention relates to authentication in data communication. In particular,
the invention relates to, but is not limited to, authenticating mobile stations
and network servers communicating with each other through a network such
as the Internet.

The example which will illustrate the invention is that of a mobile
communication system comprising a mobile communication network and mobile
stations. In this example, the network provides a service to a mobile station
after authentication of the mobile station. The mobile station comprises a
portable module such as a USIM card and comprises mobile equipment (handset)
that is able to communicate with the network and that is able to communicate
with the portable module.

Background Art 

The present third generation (3G) standards (in particular TS 31.102 and TS
33.102) define the authentication protocol in a 3G network (known as AKA
protocol, standing for Authentication Key Agreement) between the USIM
card and an Authentication Center (AuC).

In this framework, the card is sent a so-called authentication request made
up of several data fields:

- a random challenge (RAND);

- a sequence number (SQN) or a concealed sequence number (SQN ⊕ AK);

- a message authentication code (MAC),

AK being an anonymity key, the symbol ⊕ being the bitwise Exclusive OR,
MAC being a Message Authentication Code, SQN being a sequence number
which may indicate from its value whether the ongoing request is a reiterated

Upon reception of these data, the card computes the SQN (if required),
checks the MAC and checks from the SQN that the same request has not
already been sent.

To compute the SQN (if required), the USIM:
- computes the anonymity key AK with a function f5 (RAND, K);
- eventually retrieves the sequence number SQN by way of
(SQN ⊕ AK) ⊕ AK = SQN.

f5 is a key generating function used to compute AK.

K is a long-term secret key shared between the card and the server.
Then the card also generates an expected message authentication code
XMAC using the RAND, K, SQN, an additional management field (AMF) and
an authentication function f1.
Then the card compares the XMAC with the MAC which was included in the
authentication request. If they are different, the card sends back to the
handset a user authentication reject message with an indication of the cause
and the card aborts the ongoing authentication procedure. In this case, the
AuC may initiate a new identification and authentication procedure towards the

The card also verifies that the received sequence number SQN is in the
correct range. The SQN may not differ more than by a predetermined amount of
the SQN stored in the card. If the card considers the sequence number not
to be in the correct range, it sends back to the AuC a synchronization failure
message and aborts the ongoing procedure.

Such an authentication procedure is e.g. disclosed in EP-A-1 156 694. More
details or explanations regarding the steps above may be found in the
above-quoted standards for reference.

The MAC code (and therefore XMAC) is computed from the whole request
data and the same authentication key as the requesting entity. Its role is to
ensure that the request data has not been tampered with during the
transmission and also warrants the card that the requesting entity actually
possesses the same authentication key as the card.

As the card is checking the integrity and authenticity of the data received
from the server, the card computes said XMAC with a mechanism involving
the data to be checked along with the authentication key K. Then, an
attacker can force the utilization of the authentication key by sending to the
card an authentication request with strategically chosen data. By various
methods, such as side-channel and perturbation attacks, information is
revealed leading to the partial or total disclosure of the authentication key.
To be exploitable, most attacks require a given amount of authentication
requests depending on the strength of the algorithm used to compute the
XMAC. For each of these trials, the attacker must provide a dummy MAC
(since it does not know the actual value of the key).
In known systems such as the one disclosed in the above-quoted document
EP-A-1 156 694, in case of suspected tamper detection, namely whenever
MAC and XMAC do not match, it is suggested to send back to the requesting
entity a message asking for re-transmitting the message, then check again
whether the message received anew is proper or not, and abort the
procedure in the negative. However, the system disclosed in this document
does not provide any means for keeping track of such successions of events,
so that nothing may prevent the attacker, after a given authentication
procedure is aborted, to reiterate another same procedure, or a series of
further same procedures, until he may swindle the system to get access to
protected data.

SUMMARY OF THE INVENTION 

The aim of the invention is to limit the number of consecutive attacks on a
card, specifically by limiting the number of reiterated authentication
attempts performed thereon.

The invention sets forth a method such as disclosed in the above-quoted
EP-A-1 156 694, namely an authentication method for use in a system
including a first entity and a second entity mutually communicating by way
of a network, wherein said first entity is adapted to authenticate said
second entity and data received from said second entity, and wherein both
first and second entities store the same secret key, said method comprising
the steps of:

- receiving by said first entity a message authenticating code and other
parameters, said message authenticating code being a function of said
secret key and said other parameters;

ters which have been received and from said secret key stored in said

- comparing by said first entity said message authenticating code received
and said expected code; and
- aborting authentication if the message authenticating code received and
the expected code do not match.

According to the present invention, there is provided a further step of:

- updating in said first entity a failure counter every time the message
authenticating code received and the expected code do not match upon
comparison by said first entity.

In other words, the invention consists in providing - within the USIM card -
a failure counter updated depending on the result of the comparison between
MAC and XMAC in order to restrict the number of successive erroneous
trials to a maximum amount, above which the key K is considered as not safe.
In this way, the number of malicious successive attacks is controlled.

According to preferred implementations, the method of the invention may
include:

- determining by said first entity from a sequence number included in said
other parameters, whether said message authenticating code and other
parameters have been already received by said first entity; and if said
sequence number indicates that said message authenticating code and
other parameters have already been received by said first entity, aborting
authentication without updating said failure counter;
- resetting said failure counter to its initial value if (i) the message
authenticating code received and the expected code do match and (ii) said
sequence number indicates that said message authenticating code and
other parameters have not already been received by said first entity.

The present invention also encompasses a smart card adapted to
authenticate a remote entity and data received from it, said smart card
including:
- a memory storing authentication algorithms as well as authentication and
encryption keys including a secret key which is the same as a
corresponding key stored in said remote entity;

- means for receiving from said remote entity a message authenticating
code and other parameters;

- means for computing an expected code from said other parameters and
from said secret key;

- means for comparing said message authenticating code received and
said expected code; and

- means for aborting authentication if the message authenticating code
received and the expected code do not match.

According to the invention, said smart card further comprises:

- a failure counter adapted to store the number of abortion occurrences;

- means for updating said failure counter every time the comparing means
indicate that said message authenticating code and said expected code
do not match.

So thanks to its built-in failure counter and the fact that the updating of
this counter is controlled from inside the card, the card becomes a
tamper-resistant, more secure device.

BRIEF DESCRIPTION OF THE DRAWINGS 

The foregoing and other objects, aspects and advantages of the invention
will be better understood from the following detailed description of a
preferred embodiment of the invention with reference to the appended drawings.
Figure 1 illustrates an example of a data processing system to which the
invention may be applied.

Figure 2 is an example of an authentication failure counter management
algorithm.

DETAILED DESCRIPTION OF 
A PREFERRED EMBODIMENT OF THE INVENTION 



Figure 1 illustrates a system including a user equipment communicating with
a server SERV by way of a network NET such as Internet or private network.
The user equipment consists in two parts: the Mobile Equipment ME and the
Subscriber Identity Module CARD. The mobile equipment ME is the radio
terminal used for radio communication between the user equipment and the
server SERV. In this example, the card CARD is a USIM smart card that
holds the subscriber identity, performs authentication algorithms, and stores
authentication and encryption keys and subscription information that is
needed at the terminal.

The server SERV is adapted to provide a service to a mobile station after a
successful authentication of the mobile station.

According to the invention, a counter in the card controls the number of
authentication procedures aborted by the card. Preferably, the counter counts
successively aborted authentication procedures.

Figure 2 is an authentication algorithm illustrating the invention, which
includes several steps S1-S16.

In a first step (S1), the card receives an authentication request.

In a second step (S2), before checking the MAC, the card checks the failure
counter:

- if the counter is zero (S3, S12), it considers that the key is not safe and
does not proceed further. In this case, the card returns a security error
message (step S14). After step S14, the authentication procedure is
terminated (S15);
- else (S3, S4), it can use the key and verify (S5) the data provided MAC:
  o if the value expected by the card does not match the one provided
  in the request then the card decrements the error counter (S13)
  and sends a security error notification to the ME.
  o else it checks the SQN of the request (S6), to ensure that it is not
  processing a request which has already been previously sent:
    . if the SQN appears not to be fresh (S7, S10), then the card
    sends back a resynchronization token over the network
    (S10) as defined in the AKA. After S10, the procedure is
    terminated (S11);
    . else, if the SQN appears to be valid (S7, S8), then, in this
    example, the card resets the error counter to its maximal
    value (S8). After, the card can send a positive authentication
    result (S9). Step S16 is the end of the authentication
    procedure.

Once the error counter reaches zero, then the authentication key can no
longer be used. Thus, it allows only a small amount of consecutive errors.
The above-mentioned attacks require trials leading to MAC verification errors

For example, let us suppose that the maximal value of the counter is 3 and
assume the initial value of the counter is 1. The six following consecutive
authentications illustrate several possible scenarios.

1st Authentication: Counter > 0, correct MAC, valid SQN

Initial value of the counter: 1

- Reception of the authentication request (S1)

- As the counter is strictly positive (S3), a MAC verification is performed
(S4)

- As the MAC is correct (S5), a SQN verification is performed (S6)
- As the SQN is valid (S7), the counter is reset to its maximal value, i.e. 3
(S8).

- The authentication result is returned (S9)
Final value of the counter: 3

2nd Authentication: Counter > 0, incorrect MAC
Initial value of the counter: 3
- Reception of the authentication request (S1)

- As the counter is strictly positive (S3), a MAC verification is performed
- As the MAC is incorrect (S5), the counter is decremented. The new value
of the counter is 2 (S13)
- A security error is returned (S14)
Final value of the counter: 2

3rd Authentication: Counter > 0, correct MAC, invalid SQN
Initial value of the counter: 2
- Reception of the authentication request (S1)

- As the counter is strictly positive (S3), a MAC verification is performed
(S4)

- As the MAC is correct (S5), a SQN verification is performed (S6)
- As the SQN is invalid (S7), a resynchronization token is sent. The counter
is not modified. It remains equal to 2.
Final value of the counter: 2

4th Authentication: Counter > 0, incorrect MAC

Initial value of the counter: 2

- Reception of the authentication request (S1)

- As the counter is strictly positive (S3), a MAC verification is performed
(S4).
- As the MAC is incorrect (S5), the counter is decremented. The new value
of the counter is 1 (S13)
- A security error is returned (S14)
Final value of the counter: 1

5th Authentication: Counter > 0, incorrect MAC

Initial value of the counter: 1

- Reception of the authentication request (S1)

- As the counter is strictly positive (S3), a MAC verification is performed
(S4).

- As the MAC is incorrect (S5), the counter is decremented. The new value
of the counter is 0 (S13)
- A security error is returned (S14)
Final value of the counter: 0

6th Authentication: Counter = 0, incorrect MAC

Initial value of the counter: 0

- Reception of the authentication request (S1)

- As the counter is equal to 0 (S3), the key is blocked (S12)

- A security error is returned (S14)
Final value of the counter: 0
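
The counter management of Figure 2, replayed over the six authentications above, as an added example that is not part of the original text. HMAC-SHA-256 stands in for f1, and the strictly increasing SQN rule, the result strings, the constructed key and challenge values, and the names Card, f1_standin and run_page_scenarios are assumptions of this example.

```python
import hashlib
import hmac
from dataclasses import dataclass

MAX_COUNTER = 3  # maximal counter value used in the worked example above


def f1_standin(k: bytes, rand: bytes, sqn: int, amf: bytes) -> bytes:
    """Stand-in for f1: HMAC-SHA-256 truncated to 8 bytes (not the 3GPP function)."""
    msg = rand + sqn.to_bytes(6, "big") + amf
    return hmac.new(k, msg, hashlib.sha256).digest()[:8]


@dataclass
class Card:
    k: bytes
    counter: int = MAX_COUNTER
    last_sqn: int = 0  # assumed freshness rule: SQN must strictly increase

    def authenticate(self, rand: bytes, sqn: int, amf: bytes, mac: bytes) -> str:
        if self.counter == 0:                    # S2/S3: counter checked before K is used
            return "KEY_BLOCKED"                 # S12, S14: security error, key untouched
        xmac = f1_standin(self.k, rand, sqn, amf)        # S4
        if not hmac.compare_digest(xmac, mac):   # S5: constant-time comparison
            self.counter -= 1                    # S13
            return "SECURITY_ERROR"              # S14
        if sqn <= self.last_sqn:                 # S6/S7: request already seen
            return "RESYNC"                      # S10: counter left unchanged
        self.last_sqn = sqn
        self.counter = MAX_COUNTER               # S8: reset only when MAC and SQN pass
        return "AUTH_OK"                         # S9


def run_page_scenarios():
    """Replay the six authentications; return (result, counter) after each one."""
    k, rand, amf = bytes(16), bytes(range(16)), b"\x80\x00"  # constructed values
    card = Card(k, counter=1)                    # initial counter value 1, as in the text
    good1 = f1_standin(k, rand, 1, amf)
    bad = bytes(8)                               # dummy MAC from a party without K
    requests = [(1, good1), (2, bad), (1, good1), (3, bad), (4, bad), (5, bad)]
    trace = []
    for sqn, mac in requests:
        trace.append((card.authenticate(rand, sqn, amf, mac), card.counter))
    return trace


if __name__ == "__main__":
    for n, (result, counter) in enumerate(run_page_scenarios(), 1):
        print(n, result, counter)
```
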
The main advantages of the invention are:

- the number of presentations of successive incorrect MACs is limited to
the maximal value of the counter (see above authentications #2, 4, 5, 6);
- the total number of authentications is not limited as the counter can be
reset to its maximum value (see above authentication #1);
- the reiteration of a correct authentication request does not reset the
counter, as SQN is necessarily invalid, and the counter will remain
unaltered (see above authentication #3);
- problems associated with SQN checking do not risk to lock the card, as
the counter is not decremented (see above authentication #3).

Several variants may be contemplated:
- the values of the counter are just given as an example;
- the counter management may differ: the counter may be incremented
instead of being decremented, it may change by increments of any value, it
may be compared to any value other than 0, etc.;

- the counter may count the total amount of authentication requests;

- the counter may count the number of incorrect MACs without possibilities
to reset it to its maximum value;
- the counter may be reset as soon as the MAC is correct (i.e. without any
further checks such as the SQN validity);

- the counter may be decremented even if the MAC is correct and the
SQN invalid.



